On March 25, 2015, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced asettlement with PayPal, Inc., the money services business, to resolve apparent violations of multiple U.S. economic sanctions programs. PayPal’s settlement serves as a reminder to financial services firms of the importance of maintaining an adequate sanctions compliance program that incorporates sufficient controls to catch and block prohibited transactions.

The bulk of PayPal’s $7,658,300 settlement amount was attributable to transactions to and from the PayPal account of Kursad Zafer Cire, whom the U.S. sanctioned in 2009 for his involvement in the A.Q. Khan nuclear proliferation network. Because Cire was a Specially Designated National (SDN) under the Weapons of Mass Destruction Proliferators Sanctions Regulations, PayPal was prohibited from processing transactions involving his account and from providing any services to him. In all, PayPal processed 136 transactions totaling $7,091.77 to or from Cire’s account between October 2009 and April 2013. Eventually PayPal’s sanctions compliance program effectively blocked Cire’s account, and thereafter PayPal disclosed the transactions to OFAC.

OFAC deemed PayPal’s processing of Cire’s 136 transactions “egregious” violations because, in OFAC’s opinion, a series of failures in PayPal’s sanctions compliance program demonstrated “reckless disregard” for regulatory sanctions requirements. (Under the settlement agreement, PayPal did not admit to any apparent violations.) The settlement agreement makes clear that the company had a sanctions compliance program when the Cire transactions occurred. However, the program contained several significant weaknesses that PayPal ultimately discovered and subsequently reported and remedied.

PayPal’s automated interdiction software failed to identify Cire as a potential match to OFAC’s SDN list for approximately six months after Cire’s designation. When the software did eventually flag Cire’s account, PayPal’s risk operations agents dismissed the alerts on multiple occasions. As described in the agreement, the risk operations agents misunderstood the significance of the alerts and failed to follow PayPal’s internal procedures for handling SDN matches. Not only did OFAC deem these control failures as egregious violations, but the agency also found PayPal’s sanctions compliance program to be inadequate, a finding which constituted an “aggravating factor” in the agency’s determination of the appropriate settlement terms with PayPal.

Despite these deficiencies in PayPal’s compliance program, OFAC and PayPal arrived at a settlement amount that constituted a fraction of the total maximum penalty authorized for the prohibited transactions covered by the agreement. OFAC granted PayPal credit for its self-reporting of the Cire transactions as well as other non-egregious sanctions violations, and also found several mitigating factors present. Significantly, OFAC cited PayPal’s extensive efforts to improve its compliance program and internal controls. PayPal hired new compliance management, addressed issues in its payment system, and strengthened its screening processes and controls. Moreover, according to OFAC, PayPal substantially cooperated with the agency’s investigation by, among other things, “submitting the relevant documents and information in a clear and organized fashion, answering numerous follow-up inquiries for information over the course of OFAC’s investigation, and by entering into a statute of limitations tolling agreement and extension to the agreement.”

PayPal’s settlement with OFAC serves as a reminder that financial services companies must recognize the risk that OFAC-sanctioned countries or persons may well attempt to transact business with or through them. These companies must implement and maintain compliance programs and internal controls sufficient to address those risks. This is particularly critical given OFAC’s increased enforcement efforts. Merely having a screening process in place is insufficient if the process is ineffective at blocking transactions with prohibited parties. As the PayPal settlement illustrates, repeated failures of an existing compliance program to catch transactions with an SDN could lead to a finding that a financial services company recklessly disregarded its obligations to comply with U.S. sanctions laws, and that such transactions constitute egregious violations worthy of higher penalties.